CVE-2024-0766 MEDIUM

CVE-2024-0766: Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.4 - Missing Authorization via templates_ajax_request

Vendor Envothemes

Product Envo's Templates & Widgets for Elementor and WooCommerce

Weakness CWE-284

Published February 28, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates.

Key dates

02Disclosure timeline

February 28, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-0766

Related vulnerabilities

Identifiers

CVE CVE-2024-0766

CWE CWE-284

CVSS 4.3 / MEDIUM

Affected versions